MFA in Entra is not working, or users are not being prompted for MFA!

Moritz 20 Reputation points
2024-11-26T23:43:58.1333333+00:00

Hello Community,

I am facing issues with enabling MFA for users in Microsoft Entra. We cannot use "Conditional Access" with our Microsoft 365 Business Standard licenses as they only include "Entra ID Free". I do not want to activate "Security Defaults" because, as I understand it, all users would be forced to use MFA at once, and I would not be able to distribute it in a controlled manner. "Per-user multifactor authentication" seems to be new in Entra since October and would suit me best. However, it would be better to gradually add a few users to a group and use additional options, as it seems possible under "Multifactor authentication" in conjunction with "Authentication methods". However, all configurations fail. Users are never prompted to use MFA, even though the "Migration status" is set to "complete". Only in the legacy MFA, which now seems to be disabled, was I able to force users to use MFA.

Are "Multifactor authentication" in conjunction with "Authentication methods" not standalone options, but rather tied to "Conditional Access", "Security Defaults", and "Per-user multifactor authentication"? I cannot understand this, but I have come across this information during my research.

Or should I be able to offer MFA to users with "Multifactor authentication" in conjunction with "Authentication methods" independently of CA, etc.? If so, why are users not being prompted to use it? I have researched and tested a lot. I am happy to provide further details if needed.

Thank you

Regards

Tags: Microsoft Authenticator, Microsoft Intune, Microsoft Entra ID

Accepted answer
  1. Marti Peig 525 Reputation points Microsoft Employee
    2024-11-27T13:30:31.3166667+00:00

    Hi Moritz,

    Can you confirm this is happening with users who have the per-user MFA status Enforced? Per-user MFA has three states (Disabled, Enabled, Enforced).

    All users start out Disabled. When you enroll users in per-user Microsoft Entra multifactor authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. Administrators may move users between states, including from Enforced to Enabled or Disabled.

    If per-user MFA is re-enabled on a user and the user doesn't re-register, their MFA state doesn't transition from Enabled to Enforced in MFA management UI. The administrator must move the user directly to Enforced.

    You have more information in https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates

    Also, check service settings and make sure you are not skipping MFA for trusted IP addresses, or when the remember MFA on trusted devices feature is turned on.

    Cheers
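
The state check and the "move the user directly to Enforced" step described in the answer above, as an added example that is not part of the original thread. It uses the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Authentication` module) rather than the portal. Assumptions: the per-user MFA state is read and written through the beta `/users/{id}/authentication/requirements` endpoint, the scope names in `Connect-MgGraph` are the ones those endpoints require (verify against the Graph reference for your tenant), and `$UserPrincipalName` is a placeholder for the account being tested. The script also lists the user's registered methods and which methods the tenant's Authentication methods policy offers and to whom, because an enabled user who was prompted but could choose no method is the failure mode reported later in this thread.

```powershell
# Added example, not code from the thread. Requires Microsoft.Graph.Authentication.
# Scope names below are assumed to match the endpoints used; check the Graph docs.
#Requires -Modules Microsoft.Graph.Authentication

param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [switch] $Enforce   # set to move the user straight to Enforced
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Per-user MFA state (disabled / enabled / enforced) is only exposed on beta.
$reqUri = "https://graph.microsoft.com/beta/users/$UserPrincipalName/authentication/requirements"

# 1. Current per-user MFA state for the account under test.
$state = (Invoke-MgGraphRequest -Method GET -Uri $reqUri).perUserMfaState
Write-Host "Per-user MFA state for ${UserPrincipalName}: $state"

# 2. Methods the user has actually registered. An 'enabled' user with nothing
#    beyond the password method has not completed registration and will not
#    move to 'enforced' on their own.
$methodsUri = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/authentication/methods"
$methods    = (Invoke-MgGraphRequest -Method GET -Uri $methodsUri).value
$registered = $methods | ForEach-Object { $_.'@odata.type' -replace '^#microsoft\.graph\.', '' }
Write-Host "Registered methods: $($registered -join ', ')"

# 3. Which methods the tenant's Authentication methods policy offers, and to
#    whom. If no enabled method's includeTargets covers the user (all_users or
#    a group the user belongs to), the MFA prompt has no method to offer.
$policy = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'
Write-Host 'Enabled methods in the Authentication methods policy:'
foreach ($cfg in $policy.authenticationMethodConfigurations) {
    if ($cfg.state -ne 'enabled') { continue }
    $targets = ($cfg.includeTargets | ForEach-Object { "$($_.targetType):$($_.id)" }) -join ', '
    Write-Host ('  {0,-32} targets: {1}' -f $cfg.id, $targets)
}

# 4. Optionally force the state, the fix the answer above recommends when a
#    re-enabled user never re-registers and so never transitions by itself.
if ($Enforce -and $state -ne 'enforced') {
    Invoke-MgGraphRequest -Method PATCH -Uri $reqUri -ContentType 'application/json' `
        -Body '{"perUserMfaState":"enforced"}'
    $state = (Invoke-MgGraphRequest -Method GET -Uri $reqUri).perUserMfaState
    Write-Host "New per-user MFA state: $state"
}
```

Run it once without `-Enforce` to see the three facts side by side (state, registered methods, policy targets), then with `-Enforce` for the user you want to move. Reading the sign-in log through the Graph API needs an Entra ID P1 or P2 license, so on a Free tenant confirm the result in the portal's sign-in log, where the entry shows whether the sign-in satisfied single-factor or multifactor authentication.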


2 additional answers

  1. BANDELA Siri Chandana 755 Reputation points Microsoft Vendor
    2024-11-27T12:47:32.9333333+00:00

    Hi @Moritz

    Thank you for posting your query on Microsoft Q&A.

    I understand you don't want to activate Security Defaults, since you just want to enable MFA for specific users. Then, regarding per-user MFA, you stated that the "Migration status" is set to "complete". This means that you cannot use legacy authentication methods in per-user MFA; the Authentication methods blade simply allows you to enable different sorts of methods for users, not enforce them. You can enforce MFA using per-user MFA or, if you wish, a Conditional Access policy. To enforce MFA with a Conditional Access policy, you must have a Premium P1 license.

    If users are not being prompted for MFA, can you test with a user by revoking the MFA sessions? It's possible that stored cookies in browsers are causing the issue. Try it in a private window and see whether the user is being prompted or not, and check the sign-in log for that specific sign-in. Whether the user completed single-factor or multi-factor authentication, you could provide a screenshot of the sign-in log.

    Hope this helps. Do let us know if you have any further queries.

    If this answers your query, do click `Accept Answer` and `Yes`.

    Thanks,

    B. Siri Chandana.

    1 person found this answer helpful.

  2. Moritz 20 Reputation points
    2024-12-03T14:53:04.01+00:00

    Hi,

    Late reaction... busy... sorry.

    I activated one user for per-user MFA. I first DID NOT add the user to the "MFA group" that I had created for MFA, the registration campaign, etc. The user GOT a prompt to use MFA, but there were NO methods for the user to choose from. Then I DID add the user to "my MFA group". Then the user could choose a method and the MFA activation was successful. I think I now understand that "Authentication methods" and "Multifactor authentication" do not work on their own. They seem to depend on "Per-user MFA" etc. I think I am now going to activate all users little by little. I will give up trying to succeed with a registration campaign. It's OK.

    Thanks a lot for help

